General

  • Target

    29102024_1601_29102024_Würth factura 4052299769.PDF.rar

  • Size

    742KB

  • Sample

    241029-tgl27sxper

  • MD5

    58548c79c502f4e07f3e68142878ab0e

  • SHA1

    2c0e8eebafb0d0a6a0844bb8c5bdef2744766cf6

  • SHA256

    1bab67596abed809b1daad1c32afa1866c090e72c28e3542f90ac468e33cd617

  • SHA512

    f78210e1188710603b51a1a370d90bcd8bba94050997ee3e992ec93f3d2fb89c94774401504ea69c7a578168cdc44bb426da53005f04c5a4643a1eb25c85b448

  • SSDEEP

    12288:f0KzCO5Ddf8t0DJP7/SHicxnzRSZ0kTMnCikFSsjLJ6TQ7ZbXJS+O8QOI4:8aCu40DJOCSnzRSZTO9sjlBxXjZQO1

Malware Config

Extracted

  • Family

    vipkeylogger

  • Credentials

Targets

    • Target

      Würth factura 4052299769.PDF.exe

    • Size

      757KB

    • MD5

      c4da846cd671f4f992c3bcef32684747

    • SHA1

      a0d88c6636c2fbc77553eaf628f8b3380edb831f

    • SHA256

      0db03e42aae3a3fde2281d82c6b945a6ade7b4779692e144c77d95ea614fc335

    • SHA512

      cc1cd50209b02a4812039f5b94384229dcd8edbca2aee3882c4d59be04ac600d30062cc37f8560a1e144b3c1f7fcad3a91ea3750720826c2aa3788951ea3bf17

    • SSDEEP

      12288:+PgQ7v2gNUkDRtE6nlQ3k2orL/Ksqr8uBWIbyuwQL3OWntl81tTTZ/Oi5DwFyEif:yjNzDRtbQ02or+H5yRQLvf81BV2m6io+

    • VIPKeylogger

      VIPKeylogger is a keylogger and infostealer written in C#; it resembles SnakeKeylogger, which was first seen in 2020.

    • Vipkeylogger family

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell with the display window hidden.

    • Accesses Microsoft Outlook profiles

    • Blocklisted process makes network request

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      Xylophone/navnerkkers.Kry

    • Size

      52KB

    • MD5

      c59294d923c1b7ea290826eea833e9f9

    • SHA1

      e201fb284f4f12fbeeaaa36efd491ebbb460b9a4

    • SHA256

      b0132ac8258807bf4c97dd745636f3cfc5ca10747b1db4e9d22c7d79c4dbbaef

    • SHA512

      22e168861e7f62d3bc9e78b70a88567afe450bb400b372eaa483a845bea0689b7b799463542a23bdf6fbebf780d608015119c3338f8d5f361934884f65cc9a04

    • SSDEEP

      768:aybeDP2XY8llbt96T3dYn+fZIcLr2VzD5+gDB7h3RYGMx2fkuD3EPEQI0Y0SKt:DaGlM3WnGZXm51+gDhLtMx2fNfBlKt

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

MITRE ATT&CK Enterprise v15

Tasks